TaoSecurity Blog

This evening I watched last week's episode of This Week in Defense News with Vago Muradian. Vago's last guest was David Wise, author of Tiger Trap . If you want to learn as much as possible about Chinese espionage in a five minute interview, I recommend watching History of China spying on U.S. . I hope this book encourages attention at the highest levels of the US government and industry. Tweet

Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner . From the review : I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner think about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment. Tweet

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment , I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSO, I'm afraid TAOSST didn't have much of a chance. TAOSST is a much shorter book, with more screen captures and less content. My impressions of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA. Tweet

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book. One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters. In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and...

I just finished reading Tiger Trap by David Wise. I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read). I don't feel like writing an entire review but I wanted to capture a few thoughts. First, if you know nothing about Chinese espionage against the United States, read Tiger Trap. I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume. Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks. Still, there are plenty of cases where humans physically stole unclassified but sensitive information. Most of these predate the Web however. Third, the Chinese like to "get good people to do bad things," as I Tweeted last week (citing page 16). In other words, China ...

I found it ironic to see the names Richard Bejtlich and MANDIANT appearing in the article How to reduce the losses caused by APT attack? The reason this is funny is that the article appears in a Chinese-language story, published by a site operating in Beijing! You can read the Google Translation if you can't read the original. According to Tianji Media Group : Established in January 1997, ChinaByte was the first IT news website in China. So, welcome to the APT coverage! Tweet

Thanks to the sharp eye of a colleague from a mailing list, I learned of the article Is China Really Cyberdragon? in the English-language China Daily newspaper. The article is by Tang Lan, deputy director of the Institute of Information and Social Development Studies, China Institutes of Contemporary International Relations (a state-directed research institute). His writing displays all of the class elements of what I call Chinese defensive propaganda, in this case specifically addressing APT intrusions. I'll cite a few examples so you know what I mean. Hacking poses a threat to both China and Western countries and politicizing the problem will be detrimental to all. The beginning of the article introduces the reader to the concept that China is just as much a victim of hacking as the West. This is the first invocation of "the victim card," which is a constant aspect of Chinese self-identity and international relations. Tang Lan then dismisses accusations that the C...

The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports: DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised. But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations . The government also is trying to shift over to other companies that act as digital notaries, he said. As you can see I highlighted two points. Regarding the first, it took external analysis of the event to determine the true facts of the case. For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?" I mean instead "are you compromised?" Regarding the second, I can't r...

Over the last week I've been watching a new National Geographic Channel documentary titled The Liquid Bomb Plot . It explains how British intelligence detected and thwarted an AQ operation to destroy at least seven aircraft flying from the UK to the US in August 2006. The show is excellent and features first-hand accounts, including key US personnel like Secretary Chertoff and General Hayden. I recommend watching this show because it demonstrates the tensions between the law enforcement and intelligence communities. The content also touches on the question of whether counter-AQ operations are legal affairs or military affairs. After the show you will be less likely to doubt the value of US and UK intelligence operations (and those of our allies), even after the demise of UBL. Furthermore, you can probably imagine how this sort of intel-centric operation is similar to the new sorts of wars we're fighting else -- i.e., in the digital domain. Tweet